Documentation
Overview
The bakery package layers on top of the macaroon package, providing a transport and storage-agnostic way of using macaroons to assert client capabilities.
Index
- Constants
- Variables
- func DischargeAll(m *macaroon.Macaroon, ...) ([]*macaroon.Macaroon, error)
- type Caveat
- type CaveatNotRecognizedError
- type FirstPartyChecker
- type FirstPartyCheckerFunc
- type Key
- type KeyPair
- type NewServiceParams
- type PublicKey
- type PublicKeyLocator
- type PublicKeyLocatorMap
- type PublicKeyRing
- type Request
- type Service
- func (svc *Service) AddCaveat(m *macaroon.Macaroon, cav Caveat) error
- func (svc *Service) Discharge(checker ThirdPartyChecker, id string) (*macaroon.Macaroon, error)
- func (svc *Service) Location() string
- func (svc *Service) NewMacaroon(id string, rootKey []byte, caveats []Caveat) (*macaroon.Macaroon, error)
- func (svc *Service) NewRequest(checker FirstPartyChecker) *Request
- func (svc *Service) Store() Storage
- type Storage
- type ThirdPartyChecker
- type ThirdPartyCheckerFunc
- type VerificationError
Constants
const KeyLen = 32
KeyLen is the byte length of the Ed25519 public and private keys used for caveat id encryption.
const NonceLen = 24
NonceLen is the byte length of the nonce values used for caveat id encryption.
Variables
var ErrNotFound = errors.New("item not found")
Functions
func DischargeAll
func DischargeAll(
	m *macaroon.Macaroon,
	getDischarge func(firstPartyLocation string, cav macaroon.Caveat) (*macaroon.Macaroon, error),
) ([]*macaroon.Macaroon, error)
DischargeAll gathers discharge macaroons for all the third party caveats in m (and any subsequent caveats required by those) using getDischarge to acquire each discharge macaroon.
Types
type Caveat
Caveat represents a condition that must be true for a check to complete successfully. If Location is non-empty, the caveat must be discharged by a third party at the given location. This differs from macaroon.Caveat in that the condition is not encrypted.
type CaveatNotRecognizedError
type CaveatNotRecognizedError struct {
	Caveat string
}
func (*CaveatNotRecognizedError) Error
func (e *CaveatNotRecognizedError) Error() string
type FirstPartyChecker
FirstPartyChecker holds a function that checks first party caveats for validity.
If the caveat kind was not recognised, the checker should return ErrCaveatNotRecognised.
type FirstPartyCheckerFunc
func (FirstPartyCheckerFunc) CheckFirstPartyCaveat
func (c FirstPartyCheckerFunc) CheckFirstPartyCaveat(caveat string) error
type KeyPair
KeyPair holds a public/private pair of keys.
TODO(rog) marshal/unmarshal functions for KeyPair
type NewServiceParams
type NewServiceParams struct {
	// Location will be set as the location of any macaroons
	// minted by the service.
	Location string

	// Store will be used to store macaroon
	// information locally. If it is nil,
	// an in-memory storage will be used.
	Store Storage

	// Key is the public key pair used by the service for
	// third-party caveat encryption.
	Key *KeyPair

	// Locator provides public keys for third-party services by location when
	// adding a third-party caveat.
	// It may be nil, in which case, no third-party caveats can be created.
	Locator PublicKeyLocator
}
NewServiceParams holds the parameters for a NewService call.
type PublicKeyLocator
type PublicKeyLocator interface {
	// PublicKeyForLocation returns the public key matching the caveat or
	// macaroon location. It returns ErrNotFound if no match is found.
	PublicKeyForLocation(loc string) (*PublicKey, error)
}
PublicKeyLocator is used to find the public key for a given caveat or macaroon location.
type PublicKeyLocatorMap
PublicKeyLocatorMap implements PublicKeyLocator for a map. Each entry in the map holds a public key value for a location named by the map key.
func (PublicKeyLocatorMap) PublicKeyForLocation
func (m PublicKeyLocatorMap) PublicKeyForLocation(loc string) (*PublicKey, error)
PublicKeyForLocation implements the PublicKeyLocator interface.
type PublicKeyRing
type PublicKeyRing struct {
	// contains filtered or unexported fields
}
PublicKeyRing stores public keys for third-party services, accessible by location string.
func NewPublicKeyRing
func NewPublicKeyRing() *PublicKeyRing
NewPublicKeyRing returns a new PublicKeyRing instance.
func (*PublicKeyRing) AddPublicKeyForLocation
func (kr *PublicKeyRing) AddPublicKeyForLocation(loc string, prefix bool, key *PublicKey)
AddPublicKeyForLocation adds a public key to the keyring for the given location or location prefix. It is safe to call methods concurrently on this type.
func (*PublicKeyRing) PublicKeyForLocation
func (kr *PublicKeyRing) PublicKeyForLocation(loc string) (*PublicKey, error)
PublicKeyForLocation implements the PublicKeyLocator interface.
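As an added illustration of the keyring and locator contract above (example code written for this page, not part of the bakery package): a minimal Go model of PublicKeyRing that registers keys for exact locations or location prefixes, answers PublicKeyForLocation safely under concurrent use, and returns ErrNotFound when nothing matches. The PublicKey stand-in, the KeyRing and keyEntry types, and the longest-prefix tie-break are assumptions made for this example; the real type holds actual key material and the page does not specify how overlapping prefixes are resolved.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// ErrNotFound mirrors the bakery package's sentinel for a missing item.
var ErrNotFound = errors.New("item not found")

// PublicKey stands in for bakery.PublicKey (constructed: only a label is kept).
type PublicKey struct{ Label string }

type keyEntry struct {
	loc    string
	prefix bool
	key    *PublicKey
}

// KeyRing models PublicKeyRing: keys registered for an exact location or a
// location prefix, guarded by a mutex so methods may be called concurrently.
// It satisfies the page's PublicKeyLocator interface.
type KeyRing struct {
	mu      sync.RWMutex
	entries []keyEntry
}

// AddPublicKeyForLocation registers key for loc; with prefix set, every
// location that starts with loc is covered by this entry.
func (kr *KeyRing) AddPublicKeyForLocation(loc string, prefix bool, key *PublicKey) {
	kr.mu.Lock()
	defer kr.mu.Unlock()
	kr.entries = append(kr.entries, keyEntry{loc: loc, prefix: prefix, key: key})
}

// PublicKeyForLocation returns an exact match if one exists; otherwise the
// longest registered prefix wins (assumed tie-break for this example).
// ErrNotFound is returned when nothing matches.
func (kr *KeyRing) PublicKeyForLocation(loc string) (*PublicKey, error) {
	kr.mu.RLock()
	defer kr.mu.RUnlock()
	var best *keyEntry
	for i := range kr.entries {
		e := &kr.entries[i]
		if e.loc == loc {
			return e.key, nil
		}
		if e.prefix && strings.HasPrefix(loc, e.loc) && (best == nil || len(e.loc) > len(best.loc)) {
			best = e
		}
	}
	if best == nil {
		return nil, ErrNotFound
	}
	return best.key, nil
}

func main() {
	// Constructed locations: one exact discharger and one prefix covering its siblings.
	kr := &KeyRing{}
	kr.AddPublicKeyForLocation("https://ids.example.com/v1", false, &PublicKey{Label: "ids-v1"})
	kr.AddPublicKeyForLocation("https://ids.example.com/", true, &PublicKey{Label: "ids-any"})
	for _, loc := range []string{"https://ids.example.com/v1", "https://ids.example.com/v2", "http://other.example.com/"} {
		key, err := kr.PublicKeyForLocation(loc)
		fmt.Println(loc, "->", key, err)
	}
}
```

The locator is the trust anchor for third-party caveats: whatever key PublicKeyForLocation returns is the key the caveat id gets encrypted to, so a prefix entry is a trust decision covering every location beneath it. A very short prefix such as "https://" would hand out a key for any HTTPS location, so register the narrowest prefix that still covers the discharging service, and treat ErrNotFound as a reason not to create the caveat rather than something to fall back from.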
type Request
type Request struct {
	// contains filtered or unexported fields
}
Request represents a request made to a service by a client. The request may be long-lived. It holds a set of macaroons that the client wishes to be taken into account.
Methods on a Request may be called concurrently with each other.
func (*Request) AddClientMacaroon
func (req *Request) AddClientMacaroon(m *macaroon.Macaroon)
AddClientMacaroon associates the given macaroon with the request. The macaroon will be taken into account when req.Check is called.
TODO(rog) provide a way of deleting client macaroons?
type Service
type Service struct {
	// contains filtered or unexported fields
}
Service represents a service which can use macaroons to check authorization.
func NewService
func NewService(p NewServiceParams) (*Service, error)
NewService returns a new service that can mint new macaroons and store their associated root keys.
func (*Service) AddCaveat
func (svc *Service) AddCaveat(m *macaroon.Macaroon, cav Caveat) error
AddCaveat adds a caveat to the given macaroon.
If it's a third-party caveat, it uses the service's caveat-id encoder to create the id of the new caveat.
func (*Service) Discharge
func (svc *Service) Discharge(checker ThirdPartyChecker, id string) (*macaroon.Macaroon, error)
Discharge creates a macaroon that discharges the third party caveat with the given id. The id should have been created earlier by a Service. The condition implicit in the id is checked for validity using checker, and then if valid, a new macaroon is minted which discharges the caveat, and can eventually be associated with a client request using AddClientMacaroon.
func (*Service) NewMacaroon
func (svc *Service) NewMacaroon(id string, rootKey []byte, caveats []Caveat) (*macaroon.Macaroon, error)
NewMacaroon mints a new macaroon with the given id and caveats. If the id is empty, a random id will be used. If rootKey is nil, a random root key will be used. The macaroon will be stored in the service's storage.
func (*Service) NewRequest
func (svc *Service) NewRequest(checker FirstPartyChecker) *Request
NewRequest returns a new client request object that uses checker to verify caveats.
type Storage
type Storage interface {
	// Put stores the item at the given location, overwriting
	// any item that might already be there.
	// TODO(rog) would it be better to lose the overwrite
	// semantics?
	Put(location string, item string) error

	// Get retrieves an item from the given location.
	// If the item is not there, it returns ErrNotFound.
	Get(location string) (item string, err error)

	// Del deletes the item from the given location.
	Del(location string) error
}
Storage defines storage for macaroons. Calling its methods concurrently is allowed.
func NewMemStorage
func NewMemStorage() Storage
NewMemStorage returns an implementation of Storage that stores all items in memory.
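To show how NewMacaroon, the root key kept in the service's storage, and the first-party checker used by a Request fit together, here is a self-contained Go model written for this page; it is not the bakery package's code and imports neither the bakery nor the macaroon package. It keeps first-party caveats only, uses an HMAC-SHA256 chain in place of the macaroon package, a sync.Map in place of Storage, and a constructed "op <name>" caveat syntax; the names Macaroon, Service.Check, opChecker and chain are assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
	"sync"
)

// CaveatNotRecognizedError and FirstPartyCheckerFunc follow the page's types.
type CaveatNotRecognizedError struct{ Caveat string }

func (e *CaveatNotRecognizedError) Error() string { return "caveat not recognized: " + e.Caveat }

type FirstPartyCheckerFunc func(caveat string) error

// Macaroon is a simplified first-party-only macaroon (constructed for this example):
// Sig = HMAC(rootKey, ID), then HMAC(previous Sig, caveat) for each caveat appended.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}

func chain(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Service stands in for bakery.Service; rootKeys plays the role of its Storage.
type Service struct{ rootKeys sync.Map }

// NewMacaroon: random id and root key when none is given; the root key is kept under the id.
func (svc *Service) NewMacaroon(id string, rootKey []byte, caveats []string) (*Macaroon, error) {
	buf := make([]byte, 48) // 16 bytes for a random id, 32 for a random root key
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	if id == "" {
		id = fmt.Sprintf("%x", buf[:16])
	}
	if rootKey == nil {
		rootKey = buf[16:]
	}
	svc.rootKeys.Store(id, rootKey)
	m := &Macaroon{ID: id, Sig: chain(rootKey, id)}
	for _, c := range caveats {
		m.Caveats = append(m.Caveats, c)
		m.Sig = chain(m.Sig, c)
	}
	return m, nil
}

// Check models Request.Check: fetch the root key, recompute the chain, then judge every caveat.
func (svc *Service) Check(m *Macaroon, checker FirstPartyCheckerFunc) error {
	v, ok := svc.rootKeys.Load(m.ID)
	if !ok {
		return fmt.Errorf("verification failed: no root key for id %q", m.ID)
	}
	sig := chain(v.([]byte), m.ID)
	for _, c := range m.Caveats {
		sig = chain(sig, c)
	}
	if !hmac.Equal(sig, m.Sig) {
		return fmt.Errorf("verification failed: signature mismatch")
	}
	for _, c := range m.Caveats {
		if err := checker(c); err != nil { // an unrecognized caveat fails here; it is never skipped
			return fmt.Errorf("verification failed: %w", err)
		}
	}
	return nil
}

// opChecker recognizes only "op <name>" caveats (constructed syntax) and satisfies
// one when <name> is the operation the request is performing.
func opChecker(performing string) FirstPartyCheckerFunc {
	return func(cav string) error {
		if !strings.HasPrefix(cav, "op ") {
			return &CaveatNotRecognizedError{Caveat: cav}
		}
		if strings.TrimPrefix(cav, "op ") != performing {
			return fmt.Errorf("caveat %q not satisfied by operation %q", cav, performing)
		}
		return nil
	}
}

func main() {
	svc := &Service{}
	m, _ := svc.NewMacaroon("", nil, []string{"op read"})
	fmt.Println("read:", svc.Check(m, opChecker("read")))
	fmt.Println("write:", svc.Check(m, opChecker("write")))
	svc.rootKeys.Delete(m.ID) // dropping the root key revokes every macaroon minted under this id
	fmt.Println("after revoke:", svc.Check(m, opChecker("read")))
}
```

Three behaviours worth running: the check fails once the stored root key is gone (deleting the key under an id is how a service revokes everything it minted under that id, which is why the store must be durable and access-controlled), it fails when the chain does not match (a caveat appended without re-signing), and it fails on any caveat the checker does not recognize, which is why the FirstPartyChecker handed to NewRequest has to cover every caveat kind the service ever mints rather than ignoring unknown ones.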
type ThirdPartyChecker
type ThirdPartyChecker interface {
	CheckThirdPartyCaveat(caveatId, caveat string) ([]Caveat, error)
}
ThirdPartyChecker holds a function that checks third party caveats for validity. If the caveat is valid, it returns a nil error and optionally a slice of extra caveats that will be added to the discharge macaroon. The caveatId parameter holds the still-encoded id of the caveat.
If the caveat kind was not recognised, the checker should return ErrCaveatNotRecognised.
type ThirdPartyCheckerFunc
func (ThirdPartyCheckerFunc) CheckThirdPartyCaveat
func (c ThirdPartyCheckerFunc) CheckThirdPartyCaveat(caveatId, caveat string) ([]Caveat, error)
type VerificationError
type VerificationError struct {
	Reason error
}
func (*VerificationError) Error
func (e *VerificationError) Error() string
Directories
Path | Synopsis |
---|---|
| | The checkers package provides some standard caveat checkers and checker-combining functions. |
| | This example demonstrates three components: - A target service, representing a web server that wishes to use macaroons for authorization. |